remcos | 13641bd80132964e830b3961ccf6300358bfab5149aad32571998a98e2413db1

Analysis

max time kernel
142s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Backdoor.exe
Size

36KB
MD5

70aadafbc88f381a60171fb21ae4e5ba
SHA1

e7cfd181af802976134b23177087ba5dcd518a64
SHA256

13641bd80132964e830b3961ccf6300358bfab5149aad32571998a98e2413db1
SHA512

19379c0379c5d186514be3faf5839315473d74abe2366f1067fef31fe82300b5f8cf507a58a6e70851e0cb5b76ba4713919ae626232806c953d40a1181146fa1
SSDEEP

768:yNnmZ/8vPlLUdhfJ8v6utFpVsuRregrWChgz/b7Dsr1:Unwu4DejVLyOhgz/Yr

Score

10^/10

remcos host discovery evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

top-max.gl.at.ply.gg:65091

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
winka.exe
copy_folder
winled
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
methfsaf
keylog_path
%AppData%
mouse_option
false
mutex
remcos_wexxmpxcql
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\winled\\winka.exe\""	winka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\winled\\winka.exe\""	Backdoor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\winled\\winka.exe\""	Backdoor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\winled\\winka.exe\""	winka.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\winled\\winka.exe\""	winka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Backdoor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\winled\\winka.exe\""	Backdoor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winka.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	Backdoor.exe

Executes dropped EXE 1 IoCs

pid	Process
1836	winka.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\winled\\winka.exe\""	Backdoor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\winled\\winka.exe\""	Backdoor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\winled\\winka.exe\""	winka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\winled\\winka.exe\""	winka.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	Backdoor.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	winka.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Backdoor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3916	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133721126605270849"	chrome.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4868	reg.exe
2324	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3916	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1836	winka.exe
1836	winka.exe
4928	chrome.exe
4928	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1836	winka.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 216	3940	Backdoor.exe	89
PID 3940 wrote to memory of 216	3940	Backdoor.exe	89
PID 3940 wrote to memory of 216	3940	Backdoor.exe	89
PID 216 wrote to memory of 4868	216	cmd.exe	91
PID 216 wrote to memory of 4868	216	cmd.exe	91
PID 216 wrote to memory of 4868	216	cmd.exe	91
PID 3940 wrote to memory of 4628	3940	Backdoor.exe	92
PID 3940 wrote to memory of 4628	3940	Backdoor.exe	92
PID 3940 wrote to memory of 4628	3940	Backdoor.exe	92
PID 4628 wrote to memory of 3916	4628	cmd.exe	95
PID 4628 wrote to memory of 3916	4628	cmd.exe	95
PID 4628 wrote to memory of 3916	4628	cmd.exe	95
PID 4628 wrote to memory of 1836	4628	cmd.exe	96
PID 4628 wrote to memory of 1836	4628	cmd.exe	96
PID 4628 wrote to memory of 1836	4628	cmd.exe	96
PID 1836 wrote to memory of 2356	1836	winka.exe	97
PID 1836 wrote to memory of 2356	1836	winka.exe	97
PID 1836 wrote to memory of 2356	1836	winka.exe	97
PID 1836 wrote to memory of 3676	1836	winka.exe	98
PID 1836 wrote to memory of 3676	1836	winka.exe	98
PID 1836 wrote to memory of 3676	1836	winka.exe	98
PID 2356 wrote to memory of 2324	2356	cmd.exe	100
PID 2356 wrote to memory of 2324	2356	cmd.exe	100
PID 2356 wrote to memory of 2324	2356	cmd.exe	100
PID 4928 wrote to memory of 2476	4928	chrome.exe	111
PID 4928 wrote to memory of 2476	4928	chrome.exe	111
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4564	4928	chrome.exe	112
PID 4928 wrote to memory of 4380	4928	chrome.exe	113
PID 4928 wrote to memory of 4380	4928	chrome.exe	113
PID 4928 wrote to memory of 4196	4928	chrome.exe	114
PID 4928 wrote to memory of 4196	4928	chrome.exe	114
PID 4928 wrote to memory of 4196	4928	chrome.exe	114
PID 4928 wrote to memory of 4196	4928	chrome.exe	114
PID 4928 wrote to memory of 4196	4928	chrome.exe	114
PID 4928 wrote to memory of 4196	4928	chrome.exe	114

C:\Users\Admin\AppData\Local\Temp\Backdoor.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3916
- - C:\Users\Admin\AppData\Roaming\winled\winka.exe
    "C:\Users\Admin\AppData\Roaming\winled\winka.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2324
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      PID:3676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3808,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:8
1⤵
PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe6a72cc40,0x7ffe6a72cc4c,0x7ffe6a72cc58
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,2764258886742194793,14674398527643942234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2196,i,2764258886742194793,14674398527643942234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2432 /prefetch:3
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,2764258886742194793,14674398527643942234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,2764258886742194793,14674398527643942234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3436,i,2764258886742194793,14674398527643942234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4288,i,2764258886742194793,14674398527643942234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4456,i,2764258886742194793,14674398527643942234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4248 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4600,i,2764258886742194793,14674398527643942234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4860,i,2764258886742194793,14674398527643942234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4612,i,2764258886742194793,14674398527643942234,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:5160

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fa075dd6b4380d0d6d7457413d6b4f80

SHA1
6effa97a213ff0e6b54cbd5715a0b8024080e43c

SHA256
49de2ceb4b8fd4d40226c6b9620a790740d4dfb20c12eda0620a1a8f9511d1f7

SHA512
7a572dd113d4c97db9bc776891e262eb8f0259e46bf41a130c624b0bdb8898a9ac2a83c3d8e9d0e5356a6530a4ee336ba002164dddd0c102de5dece4ff8e4297

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a199d6f55e2b895fa2ac7f7f362e4dcb

SHA1
25675e6cc3cb8ffaf977fbda637455294ca47d62

SHA256
44b7122d79f1b303315ef9701615d133f032507897c6c971ea2a097584a346db

SHA512
d9d9afc1c0b663c4d124d264cda6dc9359bb2368b07bcd77060cf51340a4f5db5181b122c3f855ab0bafe83aa630477991a0ac271cba8695bf9f47450d9131a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ee2133a2dd9defef5df80f3e949e8ef4

SHA1
b3df890796196c20bf8c4e4771328739e82d6096

SHA256
11ea240752886ac2741bc1f3adcf26f8e815bdb53edecc79387041009cf25f8d

SHA512
07641d97048a748e01ad54b2982277ec01ac72d95bf4f4b2818861e11725e2143f6001fa96f739d984c36e31051f9e4e3aa4a889ef8ee14574bdb4a21132d487

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0d6f85cd7b031e6ead55e18f611fae42

SHA1
e33ba94b614e8e1199a68d17c8e9fa50ff737107

SHA256
a24abd00cd5ce89ef5d707582bb36fa9f1145087994a2c0566276c036937970c

SHA512
f802cc9a9aa5d6eab166aab79293ad288760dab11949f77221cf2e80fbba108d06cd4b48cb9bd039636ed54a01f072a3bf1311ef5783b7525adbcd48dafc60ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
70300d7549ba3e1da98a9d2742cfb875

SHA1
7eb886ab42faf2d1032f26b1fe22ebd4beddbdc9

SHA256
34a036e4ac50f2ed0a6329bb0fb8400ba9c1ab87ef2334663db95ed9cb8e6c55

SHA512
246e318ebd01575e43678de512713b3e01fed7be9c54fe4f0b82930c291f0b4955110f1bce1aecaf6b087d2f9570897497bd6a658c6a8944f12ae05ec354c726

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
042a7a61ebbe9d11850629640e6a5a09

SHA1
170dc67b0be73839c52fc060a4322341e462ee61

SHA256
ea31c5a5dfc3eac1b5691260b03bb2a76c4baa64d0df4c0eaab3077183bebd4f

SHA512
af5583c1aab809813bb89cfa79db0605f5217f3b10aa35a240d9b083b776b95a70fffd61fe22cc606ebb7ae8dbef069493c2ca923f7921225072df1f8c5bcbe3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
1a1f1ff4dc6a963e62084542ea757dc9

SHA1
e6d7d7c79ea00c5fd4701dbccb68253f82444f8d

SHA256
a7000451bfc49f2ae6e459c8704c34f66570feebb0c1d166e34bc241b3fc952d

SHA512
750de627d466851313b00947929cc92bc8d158bce2bbc0b8fb93e65bf5d71c6f8f825e583e4d1be635e06345d1a6fdc533175ac5795c334b0536bad62deb5f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
98B

MD5
c3cd37a13560b4e4fc8a784bd5374dd8

SHA1
30cc56aee22b8a29cbda43c6e340311a63e98196

SHA256
3b3369170ba92a3d38b5ad0106eed53e58f32aa70fdcc4fac0b7047019474104

SHA512
5b36df4e1b7764168ea72048134eaa0933cb0511febd2d89cb5aa1d0b6f35c7cb5fadfcf205e37c96f200fd0c5b9eaff592248d17b93300a29581e2c5bf05679

Download Submit
C:\Users\Admin\AppData\Roaming\winled\winka.exe

Filesize
36KB

MD5
70aadafbc88f381a60171fb21ae4e5ba

SHA1
e7cfd181af802976134b23177087ba5dcd518a64

SHA256
13641bd80132964e830b3961ccf6300358bfab5149aad32571998a98e2413db1

SHA512
19379c0379c5d186514be3faf5839315473d74abe2366f1067fef31fe82300b5f8cf507a58a6e70851e0cb5b76ba4713919ae626232806c953d40a1181146fa1

Download Submit
memory/1836-174-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-171-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-178-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-177-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-167-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-168-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-169-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-170-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-13-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-172-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-173-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-50-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-175-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-176-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3940-6-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3940-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download